Restricting content behind an API scope

We have the requirement of users consenting to 3rd-party access to an API on their behalf, but also further filtering what content that application has access to. In the classic calendar example it would be like me granting read:appointments to an app, but also being able to specify that they can only read appointments with certain tags (public, doctor, private, etc.).

The obvious way I can think to handle it would be to store this information in our system and always use it to look up the limitations after we have authenticated the request. Something like:

User   AppId   Access
Bob    ABC123  [public, doctor]
Bob    XYZ420  [private]
Sally  XYZ420  [kids]

I guess conceivably this could be shoved into the user’s app metadata, and then encoded into the token with a rule?

{
    "app_access": {
        "ABC123": ["public", "doctor"],
        "XYZ420": ["private"]
    }
}

That way all our APIs could decode the token and handle the filtering vs. needing to look it up in our database… But the code to manage adding and removing permissions would probably be more complicated vs. just putting it into SQL.

Looking to see if there are any standard patterns or guidelines to accomplish this use case.
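
An added example (not part of the original post) of the enforcement side of the token approach described above: once the token's signature, issuer and audience have been verified elsewhere, the API reads only the calling app's entry from the `app_access` claim and filters fail-closed. The use of the `azp` claim as the app id, the `Appointment` type, the sample data and the policy that every tag on an appointment must be granted are assumptions.

```python
from dataclasses import dataclass

REQUIRED_SCOPE = "read:appointments"  # scope named in the post

@dataclass(frozen=True)
class Appointment:  # hypothetical record type for this example
    owner: str
    title: str
    tags: frozenset

class Forbidden(Exception):
    """The token does not carry the scope this endpoint requires."""

def allowed_tags(claims: dict) -> frozenset:
    """Tags the calling app may read, from already-verified token claims."""
    if REQUIRED_SCOPE not in str(claims.get("scope", "")).split():
        raise Forbidden(REQUIRED_SCOPE)
    grants, client = claims.get("app_access"), claims.get("azp")  # azp: assumed app id claim
    if not isinstance(grants, dict) or not isinstance(client, str):
        return frozenset()  # fail closed: malformed or missing claim grants nothing
    tags = grants.get(client)  # only the caller's own entry; other apps' entries are ignored
    if not isinstance(tags, list):
        return frozenset()  # app has no entry: scope alone grants nothing
    return frozenset(t for t in tags if isinstance(t, str))

def visible_appointments(claims: dict, store: list) -> list:
    """The token subject's appointments whose tags are all granted to the app."""
    tags = allowed_tags(claims)
    # Untagged items stay hidden; an item with any ungranted tag stays hidden.
    return [a for a in store
            if a.owner == claims.get("sub") and a.tags and a.tags <= tags]

# Constructed sample data, mirroring the table and claim shown in the post.
STORE = [
    Appointment("bob", "Dentist", frozenset({"doctor"})),
    Appointment("bob", "Town hall", frozenset({"public"})),
    Appointment("bob", "Therapy", frozenset({"doctor", "private"})),
    Appointment("bob", "Anniversary", frozenset({"private"})),
    Appointment("bob", "Untagged", frozenset()),
    Appointment("sally", "School play", frozenset({"kids"})),
]
BOB_CLAIMS = {"sub": "bob", "azp": "ABC123", "scope": "openid read:appointments",
              "app_access": {"ABC123": ["public", "doctor"], "XYZ420": ["private"]}}

if __name__ == "__main__":
    print([a.title for a in visible_appointments(BOB_CLAIMS, STORE)])
```

The same `visible_appointments` check works with the database approach: build the `app_access` entry from the (user, app) row instead of from the token.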